Privacy Policy

Last updated: 14 June 2026

Deucalion® ("we", "us", "our") operates the Deucalion® mobile application and web portal at deucalion.uk. This policy explains what data we collect, how we use it, and your rights under UK data protection law.

1. Data we collect

Account information — name, email address, phone number (optional), and professional certification details (e.g. SDI certification ID).

Inspection data — site details (name, address, contacts), system and asset information (serial numbers, specifications, photos), inspection records (dates, results, environmental readings, engineer signatures), and defect reports.

Photos and evidence — images you capture or upload during inspections. Stored securely and accessible only to you and your organisation.

AI processing inputs — audio recordings submitted for transcription, images submitted for text extraction (OCR), chat messages, inspection context, uploaded document text, and report or response drafts sent to AI-assisted features. We log usage metadata such as token counts, feature area, and cost estimates for quota management, reliability, and abuse prevention.

Device information — push notification tokens, device platform (iOS, Android, or web), and IP addresses recorded in our audit log.

Payment information — subscription tier and status, billing source, purchase history, credit-pack and seat-add-on records, Stripe customer/session/subscription/invoice identifiers, amounts, currency, and payment status. In-app subscriptions are processed by Apple or Google via RevenueCat. Web checkout, credit packs, organisation billing, hosted invoices, billing portal sessions, and seat add-ons are processed by Stripe where enabled. Deucalion® does not store full card numbers or CVC codes.

Waitlist entries — email address and company name submitted via the landing page.

2. How we use your data

• To provide the inspection, reporting, and compliance features of the app
• To generate certificates, quotes, and reports from your inspection data
• To process AI transcription, OCR, chat, search, report drafting, and document extraction requests
• To manage subscriptions, credit balances, organisation seats, invoices, refunds, cancellations, and usage quotas
• To send transactional emails (invitations, assignments, certificates, quotes)
• To send push notifications you have opted into
• To maintain audit logs for compliance and security
• To improve the service and fix errors

3. Legal basis for processing

We process your data under the following bases (UK GDPR):

• Contract performance — to provide the service you signed up for
• Legitimate interests — security, fraud prevention, service improvement, and audit logging
• Consent — for optional features like push notifications and waitlist registration

4. Third-party services

We use the following services to operate Deucalion®:

• Supabase (EU) — authentication, database hosting, and photo storage
• Anthropic (US) — AI assistant, analysis, and report drafting features via the Claude API
• OpenAI (US, where enabled) — search and knowledge-base embeddings for retrieval-assisted AI features
• LiteParse (where enabled) — PDF and document text extraction for knowledge-base and Sift workflows
• Resend (EU) — transactional email delivery
• RevenueCat (US) — subscription management and in-app purchase verification
• Stripe (US/EU) — web checkout, credit packs, organisation billing, hosted invoices, billing portal sessions, payment status, and refund/cancellation support
• Railway (US) — application hosting
• Cloudflare — DNS and domain management
• Plausible Analytics (EU) — privacy-friendly website analytics (no cookies, no personal data)
• Apple / Google — app distribution and payment processing

OpenAI and LiteParse are used only when the corresponding feature is invoked, such as retrieval-assisted knowledge search, document extraction, Sift processing, or operator-run knowledge-base ingestion. Contact support if you need confirmation of which optional AI or extraction data flows are active for your workspace.

Some data is transferred to processors outside the UK. Where this occurs, appropriate safeguards (such as Standard Contractual Clauses) are in place.

5. Data retention

We retain your data for as long as your account is active. Inspection data, organisation records, billing records, and audit logs may be retained for legal, tax, security, and compliance purposes. You can delete individual items such as photos and AI conversations where the app provides that control. Account export requests generate a downloadable export of profile, workspace, billing, access, and device/session metadata. Account deletion requests are scheduled with a 14-day grace period, during which you can cancel the request. After finalisation, we delete the Supabase Auth user, deactivate access, remove push tokens, disable API keys and webhooks, remove organisation memberships, and anonymise local account profile fields. Inspection records, photos, certificates, quotes, defect reports, and related compliance data may be retained where required by tax, audit, legal, regulatory, security, or organisation data-retention obligations.

6. Data security

All data is transmitted over HTTPS. Passwords are managed by Supabase Auth and never stored in our application. Photos are served via time-limited signed URLs (1-hour expiry). Access to inspection data is restricted to the owner and their organisation members.

7. Your rights

Under UK data protection law, you have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your data (right to erasure)
• Object to processing based on legitimate interests
• Export your data in a portable format
• Withdraw consent for optional processing
• Lodge a complaint with the Information Commissioner's Office (ICO)

8. Children's privacy

Deucalion® is a professional tool for qualified engineers. We do not knowingly collect data from anyone under 16. If you believe we have, please contact us immediately.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the app or email. The "last updated" date at the top reflects the most recent revision.

10. Contact

For privacy-related queries, contact us at privacy@deucalion.uk.